HAPRoxy Configuration is throwing SSL Handshake error in Production

Question

Facing SSL handshake failure with the the below HAProxy configuration and Outage in our production environment.

Flow:

• We are using a Load balancer to distribute the traffic between the servers
• Server Proxy request has been handled by the HAProxy
• HAProxy is taking care of proxying the request to the backend server

HAPROXY Configuration:

global
        log /dev/log    local0 debug
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon


###Default SSL material locations
    ca-base /etc/haproxy/ssl
    crt-base /etc/haproxy/ssl


        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 504 /etc/haproxy/errors/504.http
frontend haproxy.service
             bind *:80
             bind *:443  ssl crt /etc/haproxy/ssl/test.pem ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
             http-request redirect scheme https unless { ssl_fc }
             default_backend backend.services


backend backendservices
             balance roundrobin
             server  backend.service 127.0.0.1:5001

I found in Internet that SSL handshake may happen due to the below scenarios

• Protocol Mismatch -Tested all the TLS version(TLS 1.0,TLS 1.1,TLS 1.2,TLS 1.3) still facing SSL handshake failure
• Cipher Suite Mismatch
  • Tested with the existing working Cipher suite in the HAProxy configuration
  • Not sure with the cipher suite. which suite will work for the above configuration?
• Incorrect Certificate
  • Checked with SSL checker passed it.

Outputs of the below related commands:

curl -v --tls-max 1.2 https://server.com/health 

• It says connected
• SSL verification Successful
• HTTP/1.1 200 ok message

Error Message:

ALPN, server did not agree to a protocol

• How can we handle this error message?

1. Solution for the SSL handshake failure

2. Cipher suite suggestions

3. What are the further areas we can test.

4. Suggestions/solutions to handle this error

   ALPN, server did not agree to a protocol